
...

Apart from triaging suspicious alerts and defining investigations, there's one additional step that allows users to get deeper into an investigation. In the Hunting area of the application, users can perform a global search across the whole system and find the events that are related to a specific entity.

Click the Hunting button in the top navigation bar to access the Hunting area.

...

Perform threat hunting

Follow these steps to perform threat hunting:

...

Step 1. Click the Alert wizard button at the top right part of the Hunting area.

Step 2. Fill in the general information of the new SecOps alert, at the left part of the window:

Field - Description

Name (mandatory) - Enter the name of the new SecOps alert.

Summary (mandatory) - A short message used to identify the alert condition. As in the standard Devo alerts, you can include field values associated with the alert using the case-sensitive variable $columnName.

Description (mandatory) - The full description of the alert condition. As in the standard Devo alerts, you can include field values associated with the alert using the case-sensitive variable $columnName.

Priority - Choose the required alert priority: Critical, High, Medium, Low, or Info.

Type - Choose the type of alert: Analytics, Detection, Observation, or Model.

MITRE Tactics - Select the required MITRE tactic.

MITRE Techniques - Select the required MITRE technique.

Step 3. The next step is adding the required entities to the alert. Click the Add entities button at the right part of the window and select at least one entity type from the list. Then, enter up to 10 values of the selected type, separated by line breaks. In the capture below, we added the IP entity type and specified 2 different IP addresses.

Click Next to go to the next step.

Step 4. In this step, you must select the tables and fields where you want to search for the values specified before. Click Add table-field and choose the required table(s) and fields. You must select at least one table and field.

Click Next to go to the next step.

Step 5. In this step, you can define filters to be applied to the selected table fields. To do so, click Add field, then select the required field in the Field to include dropdown and choose a Filter type.

Info: SecOps Whitelisting

There's a special filter type called Apply SecOps Whitelisting. Apply this filter to check whether the values in the specified field are included in the SecOps whitelisting lookup.

Click Next to go to the next step.

Step 6. Finally, you'll see a summary including all the selected settings. You can edit each one by clicking the pencil icon next to it. Optionally, you can add geolocation data to your alert by switching on the Geolocation enrich toggle. Before creating the alert, you must click Test query: the system verifies that all settings are valid and that the query defined to run the alert is correct. Once you're done, click Create.
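To make the wizard's settings concrete, the following is an added illustration written for this page; it is not Devo's code and does not reproduce how Devo SecOps evaluates alerts internally. It models the constraints the steps above describe (mandatory Name, Summary and Description; at least one entity type with up to 10 line-separated values; at least one table and field; the optional SecOps whitelisting filter) and shows why the $columnName variable in Summary is case-sensitive. The events, table names, field names and whitelist entries are constructed sample data, and the hunt() matching logic is an assumption made for the example.

```python
from dataclasses import dataclass, field
from string import Template

# Constructed sample events (hypothetical table and field names, not real Devo data).
SAMPLE_EVENTS = [
    {"table": "firewall.all.traffic", "srcIp": "10.0.0.5", "dstIp": "203.0.113.9", "action": "allow"},
    {"table": "firewall.all.traffic", "srcIp": "10.0.0.7", "dstIp": "198.51.100.2", "action": "deny"},
    {"table": "proxy.all.access", "clientIp": "10.0.0.5", "url": "http://example.test/", "status": 200},
]
# Constructed stand-in for the SecOps whitelisting lookup.
SAMPLE_WHITELIST = frozenset({"10.0.0.7"})

MAX_ENTITY_VALUES = 10
PRIORITIES = ("Critical", "High", "Medium", "Low", "Info")


@dataclass
class AlertSpec:
    """The settings collected by the wizard (assumed shape, for illustration only)."""
    name: str
    summary: str
    description: str
    priority: str = "Medium"
    entities: dict = field(default_factory=dict)      # entity type -> list of values (step 3)
    table_fields: dict = field(default_factory=dict)  # table -> fields to search (step 4)
    apply_whitelisting: bool = False                  # "Apply SecOps Whitelisting" filter (step 5)

    def validate(self):
        if not (self.name and self.summary and self.description):
            raise ValueError("Name, Summary and Description are mandatory")
        if self.priority not in PRIORITIES:
            raise ValueError(f"priority must be one of {PRIORITIES}")
        if not self.entities:
            raise ValueError("select at least one entity type")
        for etype, values in self.entities.items():
            if not 1 <= len(values) <= MAX_ENTITY_VALUES:
                raise ValueError(f"{etype}: enter between 1 and {MAX_ENTITY_VALUES} values")
        if not self.table_fields or not any(self.table_fields.values()):
            raise ValueError("select at least one table and field")


def parse_entity_values(text):
    """Split the wizard's text box: one value per line, blank lines ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def render(template, event):
    """Expand $columnName from the event. Identifiers are case-sensitive, so a
    mis-cased name such as $srcip is left untouched rather than substituted."""
    return Template(template).safe_substitute(event)


def hunt(spec, events, whitelist=frozenset()):
    """Return one hit per event whose selected fields contain an entity value,
    skipping whitelisted values when the whitelisting filter is enabled."""
    spec.validate()
    targets = {v for values in spec.entities.values() for v in values}
    hits = []
    for ev in events:
        for fld in spec.table_fields.get(ev["table"], []):
            value = ev.get(fld)
            if value not in targets:
                continue
            if spec.apply_whitelisting and value in whitelist:
                break  # value is in the whitelisting lookup: filtered out
            hits.append({"field": fld, "value": value, "summary": render(spec.summary, ev)})
            break
    return hits


def example_spec(apply_whitelisting=True):
    return AlertSpec(
        name="Hunt: known IPs in firewall traffic",
        summary="Traffic from $srcIp to $dstIp ($srcip)",  # $srcip is deliberately mis-cased
        description="Firewall events involving the hunted IP addresses",
        priority="High",
        entities={"IP": parse_entity_values("10.0.0.5\n10.0.0.7\n")},
        table_fields={"firewall.all.traffic": ["srcIp", "dstIp"]},
        apply_whitelisting=apply_whitelisting,
    )


if __name__ == "__main__":
    for hit in hunt(example_spec(), SAMPLE_EVENTS, SAMPLE_WHITELIST):
        print(hit)
```

Running the block reports a single hit: the first event matches on srcIp and its summary reads "Traffic from 10.0.0.5 to 203.0.113.9 ($srcip)", with the mis-cased variable left as-is; the second event is dropped because 10.0.0.7 is in the whitelist, and the proxy event is never examined because its table was not selected in step 4.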

...